Mastodon delays firm fix for link previews DDoSing sites

Updated Mastodon has pushed back an update that's expected to fully address the issue of link previews sparking accidental distributed denial of service (DDoS) attacks.

The problem with link previews hitting sites with bursts of traffic has been observed for over a year now, and although version 4.3.0 was slated to have a formal fix for the oversight, it no longer does after Mastodon CTO Renaud Chaput delayed the remedy to version 4.4.0, as seen on the project's GitHub page.

We understand a mitigation short of a full fix is in place in the meantime that should reduce the link preview load on sites.

Mastodon's penchant for inadvertently DDoSing websites stems from the decentralized nature of the social network.

Many websites and apps offer previews of their online content that usually each contain a headline, a subheadline, a small excerpt, and an image. When someone on Mastodon posts a link to that content, their Mastodon instance fetches the preview from the content's host server to display in people's Mastodon feeds.

Now remember that Mastodon is a fediverse made up of thousands of individual servers that are interconnected and propagate people's posts. As a post with a link spreads, each Mastodon server involved in bringing that post to users makes its own request to the link's host server to fetch and display the preview.

This can easily snowball one link preview into hundreds or thousands of fetches for the content's host server, which starts to look like a DDoS. In worst-case scenarios, sites can be overwhelmed and left unable to serve other visitors; in a lot of cases, we imagine sites are able to absorb the hit using a CDN or well-configured servers.

The impact of generating an excessive amount of link previews was detailed by the It's FOSS News blog, in a post last week titled: "Please Don’t Share Our Links on Mastodon."

"I believe we have 15,000 followers, and that gives us a decent reach," the post reads. "And, as a result, we get affected for a couple of minutes in a day, for readers to encounter 504 Gateway Timeout error or the webpage being unresponsive for a few seconds, whenever a link is shared on mastodon.social instance (primarily)."

• Critical vulnerability in Mastodon is pounced upon by fast-acting admins
• Meta connects Threads to the Fediverse
• Mastodon makes a major move amid Musk's multiple messes
• At last: The BBC Micro you always wanted, in Mastodon form

Link preview DDoS problems aren't the only drawback that comes with decentralization. When a Mastodon vulnerability rated 9.4 out of 10 on the CVSS severity scale was revealed in February, it meant every single instance needed to update. While the vast majority of servers are now running a patched version, there are still plenty of vulnerable Mastodon servers operating according to FediDB.

While the upcoming 4.3.0 patch nearly done, according to Chaput, to us it appears 4.4.0 is in an early stage of development. We've asked the Mastodon project on what the timeline for version 4.4.0 and what its anti-DDoS fix looks like. ®

Updated to add

Chaput told us a full fix for the DDoS issue was pushed back to 4.4 due to the work involved. He told us: "There is currently nothing to federate link previews in the ActivityPub protocol, on which Mastodon is based. We need to find a way to do it, write a specification for it, get approval of other implementers, and implement it. This requires significant work and our core development team is 1.5 developers right now."

Nonetheless, the CTO assured us a stop-gap fix has been developed and distributed, which basically should address the problem for most people:

"In any case, this is on our 4.4 roadmap, and I hope we will have found both a working solution and the time to implement it by then," he added. Chaput also argued this issue isn't specific to Mastodon and instead affects "every Fediverse implementation."